European Commission Kicks Off Open-Source Bug Bounty

The European Commission has announced its first-ever bug bounty program, and is calling on hackers to find vulnerabilities in VLC, a popular open-source multimedia player loaded on every workstation at the Commission.

The program has kicked off with a three-week, invitation-only session, after which it will be open to the public. Rewards include a minimum of $2,000 for critical severity bugs, especially remote code execution.

High severity bugs such as code execution without user intervention, will start at $750. Medium severity bugs will start at a minimum of $300; these include code execution with user intervention, high-impact crashes and infinite loops. Low-severity bugs, like information leaks, crashes and the like, will pay out starting at $100.

Also, depending on the cases, the severity can be raised to a higher severity. Crashes in the common formats, like AVI, MP4, MKV and decoders/packetizer of H264, HEVC and AAC are more likely to be raised in severity and/or rewards. Crashes that apply to all inputs will have the same treatment.

Also, “very important and clever bugs” could be rewarded extra payment in bitcoin (Up to 0.1 BTC).

The bounty is administered by HackerOne and has grown out of the EU-Free and Open Source Software Auditing (EU-FOSSA) project, which was created in the wake of the Heartbleed open-source phenomenon to help EU institutions better protect their critical software.

Marek Przybyszewski and Pierre Damas, who work for what is essentially the IT department of the European Commission (known as the Open Source Strategy of the Directorate General for IT, or DIGIT), explained that DIGIT has been introducing free and open source software in its IT stack since at least the year 2000. Since then, it has become strategic in several areas: Linux is used at 80% of the servers of the Commission's Data Centre and the Europa website is running on Drupal, to name a few.

“Where free and open-source software makes up key components, we cannot only rely on commercial backing and sponsoring, but also need to take into account if a project has the capacity to take care of security itself,” they said in a Q&A sent to Infosecurity. “Through the FOSSA project, we are supporting free and open source projects that make up a crucial element to the institutions and to modern economy and society at large.

Julia Reda, a member of the European Parliament from Germany and the originator of the EU-FOSSA project, said that with the decision to elicit the help of outside researchers, VLC was chosen as a natural next step.

“It is important to understand that every day infrastructure we rely on for work, our private lives and our fundamental freedoms—the internet—depends on open-source to work,” she said. “Public institutions such as the EU have a responsibility to ensure the security and reliability of this infrastructure. That is why we are using a small part of the EU budget to finance security research into open source projects, improving security for both the European institutions themselves as well as for everyone using them.”